A General Recommendations
While configuring the DSA, consider the following:
- Increase the resource allocation to achieve the desired throughput. Details for increasing the resource allocation are provided in Activating DSA.
- Ensure that after enabling a countermeasure, its related configuration tables are configured properly for the countermeasure to take effect. With no configuration or an invalid configuration, the countermeasure has no effect. The following table lists the configuration table associated with each countermeasure.
Table A-1 Countermeasure Configuration

| Countermeasure Name | Configuration Table |
| --- | --- |
| Origin Realm and Destination Realm Whitelist Screening Countermeasure | Realm_List |
| Application ID Whitelist Screening Countermeasure | AppIdWL_Config |
| Application ID and Command Code Consistency Check Countermeasure | AppCmdCst_Config |
| AVP Instance Check Countermeasure | AVPInstChk_Config |
| VPLMN ID and Origin Realm Consistency Check Countermeasure | VplmnORCst_Config |
| Specific AVP Screening Countermeasure | SpecAVPScr_Config |
| Measure Rate Monitoring Countermeasure | MsgRateMon_Config |

- For validating the configurations, set the Operating Mode parameter in Security_Countermeasure_Config table as Detection_Only. Once configurations are validated, then the Operating Mode parameter can be changed as desired.
- For stateful countermeasures, set the Operating Mode parameter in Security_Countermeasure_Config table as Detection_Only for at least the first 24 hours. This allows the security application to learn about any subscribers who are already roaming in partner networks without impacting their service. The operating mode can be changed to Detection and Correction after that period, if desired by the operator.
- Set the value for the Error Action if UDR Failure parameter (in the System_Config_Options table) as Continue Processing to ensure the requests are not dropped and roaming subscribers continue to receive service in case of any UDR error (though it is a rare occurrence). If UDR errors are observed, also change the Operating Mode for any enabled stateful countermeasures (in the Security_Countermeasure_Config table) to Detection_Only for 24 hours, then revert to the original mode.
- To share the common UDR database between the DSA of different sites, the SOs need to be under the same NO.
Note:
The following error is received during a performance run if the call rate is more than 1.7k in each MP DSA:
UDR Internal Error: Create record failed. Error Code = SendError
This is caused by the ComAgent connection timing out because the TTL expired:
Communication Agent Reliable Transaction Failed} .. GN_INFO/INF Failure reason = Time to live limit exceeded
To avoid this, run the following commands from the Active DSR NOAM before running performance traffic:
iset -fvalue=400 ComAgtConfigParams where "name='IntraNe Maximum Timeout Value'"
iset -fvalue=3 ComAgtConfigParams where "name='Maximum Number Of Retries'"
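
A pre-flight audit that applies the recommendations above to a configuration snapshot, as an added example that is not part of the product documentation. The snapshot layout, the `stateful` and `hours_enabled` fields, `EXAMPLE_STATEFUL_CM` and `OTHER_ACTION_PLACEHOLDER` are assumptions; table names, parameter names and mode values are taken from this page.

```python
# Added example. The snapshot layout (keys, "stateful", "hours_enabled") is
# hypothetical; table names, parameters and mode values are taken from the page.
CONFIG_TABLE = {
    "Origin Realm and Destination Realm Whitelist Screening Countermeasure": "Realm_List",
    "Application ID Whitelist Screening Countermeasure": "AppIdWL_Config",
    "Application ID and Command Code Consistency Check Countermeasure": "AppCmdCst_Config",
    "AVP Instance Check Countermeasure": "AVPInstChk_Config",
    "VPLMN ID and Origin Realm Consistency Check Countermeasure": "VplmnORCst_Config",
    "Specific AVP Screening Countermeasure": "SpecAVPScr_Config",
    "Measure Rate Monitoring Countermeasure": "MsgRateMon_Config",
}
LEARNING_HOURS = 24  # minimum Detection_Only period for stateful countermeasures


def audit(snapshot):
    """Return (finding, subject) tuples for settings that contradict the checklist."""
    findings = []
    for cm in snapshot["countermeasures"]:
        if not cm["enabled"]:
            continue
        table = CONFIG_TABLE.get(cm["name"])
        # Enabled with an empty configuration table: the countermeasure has no effect.
        if table and snapshot["table_rows"].get(table, 0) == 0:
            findings.append(("EMPTY_CONFIG_TABLE", table))
        # Stateful and already correcting before the learning period has elapsed.
        if (cm.get("stateful") and cm["operating_mode"] != "Detection_Only"
                and cm["hours_enabled"] < LEARNING_HOURS):
            findings.append(("STATEFUL_LEARNING_PERIOD", cm["name"]))
    action = snapshot["system_config_options"].get("Error Action if UDR Failure")
    if action != "Continue Processing":
        findings.append(("UDR_ERROR_ACTION", action))
    return findings


# Constructed sample snapshot, not output from a real system.
SAMPLE = {
    "countermeasures": [
        {"name": "Application ID Whitelist Screening Countermeasure", "enabled": True,
         "operating_mode": "Detection_Only", "hours_enabled": 2},
        {"name": "AVP Instance Check Countermeasure", "enabled": True,
         "operating_mode": "Detection_Only", "hours_enabled": 2},
        {"name": "EXAMPLE_STATEFUL_CM", "enabled": True, "stateful": True,
         "operating_mode": "Detection and Correction", "hours_enabled": 6},
    ],
    "table_rows": {"AppIdWL_Config": 12, "AVPInstChk_Config": 0},
    "system_config_options": {"Error Action if UDR Failure": "OTHER_ACTION_PLACEHOLDER"},
}
```

Calling `audit(SAMPLE)` reports the empty AVPInstChk_Config table, the stateful countermeasure that left Detection_Only after 6 hours, and the UDR error action that is not Continue Processing.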